Computer runs slow -- really slow!

[Bonksie]

Here are the RootRepeal logs. Hidden Services came up blank.


ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/10 17:42
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF7566000 Size: 57344 File Visible: -
Status: -
Name: ABP480N5.SYS
Image Path: ABP480N5.SYS
Address: 0xF774F000 Size: 23552 File Visible: -
Status: -
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A7000 Size: 188544 File Visible: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2265088 File Visible: -
Status: -
Name: adpu160m.sys
Image Path: adpu160m.sys
Address: 0xF787E000 Size: 101888 File Visible: -
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAFAB9000 Size: 138496 File Visible: -
Status: -
Name: agp440.sys
Image Path: agp440.sys
Address: 0xF7556000 Size: 42368 File Visible: -
Status: -
Name: agpCPQ.sys
Image Path: agpCPQ.sys
Address: 0xF7526000 Size: 44928 File Visible: -
Status: -
Name: aha154x.sys
Image Path: aha154x.sys
Address: 0xF789F000 Size: 12800 File Visible: -
Status: -
Name: aic78u2.sys
Image Path: aic78u2.sys
Address: 0xF7657000 Size: 55168 File Visible: -
Status: -
Name: aic78xx.sys
Image Path: aic78xx.sys
Address: 0xF7627000 Size: 56960 File Visible: -
Status: -
Name: aliide.sys
Image Path: aliide.sys
Address: 0xF798B000 Size: 5248 File Visible: -
Status: -
Name: alim1541.sys
Image Path: alim1541.sys
Address: 0xF7546000 Size: 42752 File Visible: -
Status: -
Name: amdagp.sys
Image Path: amdagp.sys
Address: 0xF7536000 Size: 43008 File Visible: -
Status: -
Name: amsint.sys
Image Path: amsint.sys
Address: 0xF78AB000 Size: 12032 File Visible: -
Status: -
Name: arp1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xF7427000 Size: 60800 File Visible: -
Status: -
Name: asc.sys
Image Path: asc.sys
Address: 0xF771F000 Size: 26496 File Visible: -
Status: -
Name: asc3350p.sys
Image Path: asc3350p.sys
Address: 0xF7757000 Size: 22400 File Visible: -
Status: -
Name: asc3550.sys
Image Path: asc3550.sys
Address: 0xF78AF000 Size: 14848 File Visible: -
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF74A7000 Size: 96512 File Visible: -
Status: -
Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xBA763000 Size: 3072 File Visible: -
Status: -
Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79D1000 Size: 4224 File Visible: -
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: -
Status: -
Name: cbidf2k.sys
Image Path: cbidf2k.sys
Address: 0xF78B7000 Size: 13952 File Visible: -
Status: -
Name: cd20xrnt.sys
Image Path: cd20xrnt.sys
Address: 0xF7995000 Size: 7680 File Visible: -
Status: -
Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBAEFD000 Size: 63744 File Visible: -
Status: -
Name: Cdr4_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
Address: 0xF7ABC000 Size: 2432 File Visible: -
Status: -
Name: Cdralw2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Address: 0xF7ABD000 Size: 2560 File Visible: -
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xBA350000 Size: 62976 File Visible: -
Status: -
Name: cdudf_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Address: 0xAFC74000 Size: 259712 File Visible: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF76B7000 Size: 53248 File Visible: -
Status: -
Name: cmdide.sys
Image Path: cmdide.sys
Address: 0xF798D000 Size: 6656 File Visible: -
Status: -
Name: cmuda.sys
Image Path: C:\WINDOWS\system32\drivers\cmuda.sys
Address: 0xB9F2B000 Size: 1368000 File Visible: -
Status: -
Name: cpqarray.sys
Image Path: cpqarray.sys
Address: 0xF789B000 Size: 14976 File Visible: -
Status: -
Name: dac2w2k.sys
Image Path: dac2w2k.sys
Address: 0xF7852000 Size: 179584 File Visible: -
Status: -
Name: dac960nt.sys
Image Path: dac960nt.sys
Address: 0xF78A7000 Size: 14720 File Visible: -
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xF76A7000 Size: 36352 File Visible: -
Status: -
Name: dpti2o.sys
Image Path: dpti2o.sys
Address: 0xF775F000 Size: 20192 File Visible: -
Status: -
Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA320000 Size: 61440 File Visible: -
Status: -
Name: dvd_2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\dvd_2K.SYS
Address: 0xBADCB000 Size: 20832 File Visible: -
Status: -
Name: DVDVRRdr_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS
Address: 0xAFC3E000 Size: 146560 File Visible: -
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xAFBCD000 Size: 12288 File Visible: -
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: -
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA9BB000 Size: 4096 File Visible: -
Status: -
Name: e100b325.sys
Image Path: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Address: 0xBA0CD000 Size: 145408 File Visible: -
Status: -
Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF777F000 Size: 27392 File Visible: -
Status: -
Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBAF4D000 Size: 44672 File Visible: -
Status: -
Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xBADBB000 Size: 20480 File Visible: -
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7832000 Size: 129792 File Visible: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79CF000 Size: 7936 File Visible: -
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74D7000 Size: 125696 File Visible: -
Status: -
Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xBADFB000 Size: 28672 File Visible: -
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x80700000 Size: 134400 File Visible: -
Status: -
Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xBAEDD000 Size: 36864 File Visible: -
Status: -
Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF779F000 Size: 28672 File Visible: -
Status: -
Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xAFDB9000 Size: 10368 File Visible: -
Status: -
Name: hpn.sys
Image Path: hpn.sys
Address: 0xF776F000 Size: 25952 File Visible: -
Status: -
Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xAF0E4000 Size: 264832 File Visible: -
Status: -
Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xBA7B0000 Size: 8576 File Visible: -
Status: -
Name: i2omp.sys
Image Path: i2omp.sys
Address: 0xF772F000 Size: 18560 File Visible: -
Status: -
Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF7487000 Size: 53504 File Visible: -
Status: -
Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xBA330000 Size: 42112 File Visible: -
Status: -
Name: ini910u.sys
Image Path: ini910u.sys
Address: 0xF78B3000 Size: 16000 File Visible: -
Status: -
Name: intelide.sys
Image Path: intelide.sys
Address: 0xF7993000 Size: 5504 File Visible: -
Status: -
Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xBAD2B000 Size: 40448 File Visible: -
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xAFB2B000 Size: 152832 File Visible: -
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xAFBAA000 Size: 75264 File Visible: -
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 37760 File Visible: -
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xBADDB000 Size: 25088 File Visible: -
Status: -
Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xAFDB1000 Size: 14720 File Visible: -
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: -
Status: -
Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xADFBF000 Size: 172416 File Visible: -
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xBA096000 Size: 143360 File Visible: -
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF795E000 Size: 92288 File Visible: -
Status: -
Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF76C7000 Size: 57472 File Visible: -
Status: -
Name: mbr.sys
Image Path: C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys
Address: 0xAFB13000 Size: 11776 File Visible: No
Status: -
Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79D3000 Size: 4224 File Visible: -
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xBAE03000 Size: 23552 File Visible: -
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7607000 Size: 42368 File Visible: -
Status: -
Name: mraid35x.sys
Image Path: mraid35x.sys
Address: 0xF7727000 Size: 17280 File Visible: -
Status: -
Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xAF14D000 Size: 180608 File Visible: -
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xAF97E000 Size: 455296 File Visible: -
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF77AF000 Size: 19072 File Visible: -
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xBA2E0000 Size: 35072 File Visible: -
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xBAE37000 Size: 15488 File Visible: -
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xBAEA3000 Size: 105344 File Visible: -
Status: -
Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7A0F000 Size: 182656 File Visible: -
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xBAE43000 Size: 10112 File Visible: -
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xAF43A000 Size: 14592 File Visible: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xB9EF0000 Size: 91520 File Visible: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA2C0000 Size: 40576 File Visible: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF7437000 Size: 34688 File Visible: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xAFADB000 Size: 162816 File Visible: -
Status: -
Name: nic1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF7497000 Size: 61824 File Visible: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF77B7000 Size: 30848 File Visible: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574976 File Visible: -
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2265088 File Visible: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7ABE000 Size: 2944 File Visible: -
Status: -
Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 3903488 File Visible: -
Status: -
Name: nv4_mini.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Address: 0xBA129000 Size: 1275168 File Visible: -
Status: -
Name: nvcap.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nvcap.sys
Address: 0xAF593000 Size: 115104 File Visible: -
Status: -
Name: nvtunep.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nvtunep.sys
Address: 0xB9E59000 Size: 19008 File Visible: -
Status: -
Name: nvtvsnd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nvtvsnd.sys
Address: 0xB9E61000 Size: 19712 File Visible: -
Status: -
Name: NVxbar.sys
Image Path: C:\WINDOWS\System32\DRIVERS\NVxbar.sys
Address: 0xAFB1F000 Size: 12192 File Visible: -
Status: -
Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF7576000 Size: 61696 File Visible: -
Status: -
Name: P1120Vid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
Address: 0xAFCE8000 Size: 754528 File Visible: -
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xBA0B9000 Size: 80256 File Visible: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 19712 File Visible: -
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xAFCC4000 Size: 6912 File Visible: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xF7596000 Size: 68224 File Visible: -
Status: -
Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000 Size: 3328 File Visible: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: -
Status: -
Name: perc2.sys
Image Path: perc2.sys
Address: 0xF7767000 Size: 27296 File Visible: -
Status: -
Name: perc2hib.sys
Image Path: perc2hib.sys
Address: 0xF7997000 Size: 5504 File Visible: -
Status: -
Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xBAE4F000 Size: 9856 File Visible: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2265088 File Visible: -
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB9F07000 Size: 147456 File Visible: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xB9EDF000 Size: 69120 File Visible: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xBADEB000 Size: 17792 File Visible: -
Status: -
Name: pwd_2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Address: 0xBA079000 Size: 116480 File Visible: -
Status: -
Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF76D7000 Size: 36320 File Visible: -
Status: -
Name: ql1080.sys
Image Path: ql1080.sys
Address: 0xF7677000 Size: 40320 File Visible: -
Status: -
Name: ql10wnt.sys
Image Path: ql10wnt.sys
Address: 0xF7637000 Size: 33152 File Visible: -
Status: -
Name: ql12160.sys
Image Path: ql12160.sys
Address: 0xF7697000 Size: 45312 File Visible: -
Status: -
Name: ql1240.sys
Image Path: ql1240.sys
Address: 0xF7647000 Size: 40448 File Visible: -
Status: -
Name: ql1280.sys
Image Path: ql1280.sys
Address: 0xF7687000 Size: 49024 File Visible: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xB8EFD000 Size: 8832 File Visible: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xBA310000 Size: 51328 File Visible: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xBA300000 Size: 41472 File Visible: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xBA2F0000 Size: 48384 File Visible: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xBADE3000 Size: 16512 File Visible: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2265088 File Visible: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xAF9EE000 Size: 175744 File Visible: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79D5000 Size: 4224 File Visible: -
Status: -

[Bonksie]

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xBA340000 Size: 58112 File Visible: -
Status: -
Name: rootrepeal.com.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.com.sys
Address: 0xAEBBA000 Size: 45056 File Visible: No
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Address: 0xF74BF000 Size: 98304 File Visible: -
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xBAE53000 Size: 15744 File Visible: -
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xBAD1B000 Size: 65536 File Visible: -
Status: -
Name: sisagp.sys
Image Path: sisagp.sys
Address: 0xF7586000 Size: 40960 File Visible: -
Status: -
Name: siside.sys
Image Path: siside.sys
Address: 0xF799B000 Size: 6016 File Visible: -
Status: -
Name: sparrow.sys
Image Path: sparrow.sys
Address: 0xF7717000 Size: 19072 File Visible: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xF7975000 Size: 73472 File Visible: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xAEFA2000 Size: 333952 File Visible: -
Status: -
Name: STREAM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Address: 0xF7457000 Size: 53248 File Visible: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF79BB000 Size: 4352 File Visible: -
Status: -
Name: sym_hi.sys
Image Path: sym_hi.sys
Address: 0xF773F000 Size: 28384 File Visible: -
Status: -
Name: sym_u3.sys
Image Path: sym_u3.sys
Address: 0xF7747000 Size: 30688 File Visible: -
Status: -
Name: symc810.sys
Image Path: symc810.sys
Address: 0xF78A3000 Size: 16256 File Visible: -
Status: -
Name: symc8xx.sys
Image Path: symc8xx.sys
Address: 0xF7737000 Size: 32640 File Visible: -
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xAEC2A000 Size: 60800 File Visible: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xAFB51000 Size: 361600 File Visible: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xBADF3000 Size: 20480 File Visible: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xBA2D0000 Size: 40704 File Visible: -
Status: -
Name: toside.sys
Image Path: toside.sys
Address: 0xF798F000 Size: 4992 File Visible: -
Status: -
Name: UdfReadr_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
Address: 0xAFBF7000 Size: 213120 File Visible: -
Status: -
Name: UimFIO.SYS
Image Path: C:\WINDOWS\System32\Drivers\UimFIO.SYS
Address: 0xF79D7000 Size: 8192 File Visible: -
Status: -
Name: ulsata.sys
Image Path: ulsata.sys
Address: 0xF76F7000 Size: 64384 File Visible: -
Status: -
Name: ultra.sys
Image Path: ultra.sys
Address: 0xF7667000 Size: 36736 File Visible: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xB9E81000 Size: 384768 File Visible: -
Status: -
Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF77CF000 Size: 32128 File Visible: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF79C3000 Size: 8192 File Visible: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF781F000 Size: 30208 File Visible: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF7477000 Size: 59520 File Visible: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xBA0F1000 Size: 147456 File Visible: -
Status: -
Name: usbprint.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Address: 0xF77C7000 Size: 25856 File Visible: -
Status: -
Name: USBSTOR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xF77DF000 Size: 26368 File Visible: -
Status: -
Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF7817000 Size: 20608 File Visible: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF77A7000 Size: 20992 File Visible: -
Status: -
Name: viaagp.sys
Image Path: viaagp.sys
Address: 0xF76E7000 Size: 42240 File Visible: -
Status: -
Name: viaide.sys
Image Path: viaide.sys
Address: 0xF7991000 Size: 5376 File Visible: -
Status: -
Name: viaidexp.sys
Image Path: viaidexp.sys
Address: 0xF7999000 Size: 6144 File Visible: -
Status: -
Name: viasraid.sys
Image Path: viasraid.sys
Address: 0xBAF5D000 Size: 75904 File Visible: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xBA115000 Size: 81920 File Visible: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 53504 File Visible: -
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF7447000 Size: 34560 File Visible: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xB9E79000 Size: 20480 File Visible: -
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xAEB2D000 Size: 83072 File Visible: -
Status: -
Name: WDMCAPI.sys
Image Path: WDMCAPI.sys
Address: 0xBAF70000 Size: 587776 File Visible: -
Status: -
Name: wdmwanmp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wdmwanmp.sys
Address: 0xBADD3000 Size: 26112 File Visible: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2265088 File Visible: -
Status: -
Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF7A3C000 Size: 77568 File Visible: -
Status: -


+++++++++++++++++++++++++++++++++

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/10 17:43
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Stealth Objects
-------------------
Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_READ]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_WRITE]
Process: System Address: 0x00000000 Size: -

+++++++++++++++++++++++++++++++++++
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/10 17:43
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Hidden Services
-------------------



+++++++++++++++++++++++++++++++++++


That's it!

Hope it makes some sense to you.

[Jintan]

Not enough sense right now. I will need to review all the info and consider what is involved there, as well as asking others for their input.

For now, run one additional scan and post those results, but I will not likely provide any further assessments until later today (my time). FYI - it may display certain items not being found during the scan, which is normal.


Go here and download reglooks.exe to your Desktop. Doubleclick on it to run it and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.

[Bonksie]

Jintan:

Here are the RegLooks scan results.

REGLOOKS logfile - version 0.980
Scan started: 10/05/2009 18:33:02.23
--- INFORMATION ---
Operating System: Microsoft Windows XP Home Edition - version 5.1.2600 - Service Pack 3
Bootmode: Normal boot
User: Dad (Administrator account)
TOTAL RAM: 2047 MB (free 1667 MB - 81%)

--- SIGCHECK ---
C:\WINDOWS\explorer.exe -- [1037312] -- [14/04/2008 19:02] -- sigcheck OK
C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [14/04/2008 19:02] -- sigcheck OK
C:\WINDOWS\system32\lsass.exe -- [13312] -- [14/04/2008 19:03] -- sigcheck OK
C:\WINDOWS\system32\ntkrnlpa.exe -- [2028544] -- [09/02/2009 13:27] -- sigcheck OK
C:\WINDOWS\system32\ntoskrnl.exe -- [2149888] -- [09/02/2009 13:27] -- sigcheck OK
C:\WINDOWS\system32\services.exe -- [111104] -- [09/02/2009 13:27] -- sigcheck OK
C:\WINDOWS\system32\sfcfiles.dll -- [1571840] -- [14/04/2008 19:02] -- sigcheck OK
C:\WINDOWS\system32\spoolsv.exe -- [57856] -- [14/04/2008 19:03] -- sigcheck OK
C:\WINDOWS\system32\svchost.exe -- [14336] -- [14/04/2008 19:03] -- sigcheck OK
C:\WINDOWS\system32\termsrv.dll -- [297472] -- [14/04/2008 19:02] -- sigcheck OK
C:\WINDOWS\system32\user32.dll -- [580096] -- [14/04/2008 19:02] -- sigcheck OK
C:\WINDOWS\system32\userinit.exe -- [26112] -- [14/04/2008 19:03] -- sigcheck OK
C:\WINDOWS\system32\wininet.dll -- [826368] -- [03/03/2009 02:16] -- sigcheck OK
C:\WINDOWS\system32\winlogon.exe -- [510464] -- [14/04/2008 19:03] -- sigcheck OK
C:\WINDOWS\system32\ws2_32.dll -- [82432] -- [14/04/2008 19:02] -- sigcheck OK
C:\WINDOWS\system32\wuauclt.exe -- [51224] -- [16/10/2008 15:09] -- sigcheck OK
C:\WINDOWS\system32\drivers\ip6fw.sys -- [36608] -- [13/04/2008 20:53] -- sigcheck OK
C:\WINDOWS\system32\drivers\ndis.sys -- [182656] -- [13/04/2008 21:20] -- sigcheck OK
C:\WINDOWS\system32\drivers\tcpip.sys -- [361600] -- [20/06/2008 13:51] -- sigcheck OK

--- SSODL regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -- File: C:\WINDOWS\system32\webcheck.dll -- [233472] -- [20/02/2009 19:18]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" -- File: C:\WINDOWS\System32\stobject.dll -- [122368] -- [14/04/2008 19:02]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -- File: C:\WINDOWS\system32\WPDShServiceObj.dll -- [133632] -- [18/10/2006 22:47]

--- STS regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui" -- File: %SystemRoot%\System32\browseui.dll -- [?]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën" -- File: %SystemRoot%\System32\browseui.dll -- [?]

--- USERINIT regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.ex e,"
File: C:\WINDOWS\system32\userinit.exe -- [26112] -- [14/04/2008 19:03]

--- SHELL regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
File: C:\WINDOWS\Explorer.exe -- [1037312] -- [14/04/2008 19:02]

--- SYSTEM regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

--- APPINIT_DLLS regkey ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

--- NOTIFY regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
-- File: C:\WINDOWS\system32\crypt32.dll -- [602624] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
-- File: C:\WINDOWS\system32\cryptnet.dll -- [64512] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
-- File: C:\WINDOWS\system32\cscdll.dll -- [102400] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
-- File: %SystemRoot%\System32\dimsntfy.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
-- File: C:\WINDOWS\system32\sclgntfy.dll -- [21504] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
-- File: C:\WINDOWS\system32\WlNotify.dll -- [93696] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
-- File: C:\WINDOWS\system32\WgaLogon.dll -- [236928] -- [15/03/2007 18:16]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02]

--- RUN / LOAD regkeys ---
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
[Windows\Load]

--- SHELLEXECUTEHOOKS regkey ---
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" -- File: shell32.dll -- [?]

--- HKLM AUTORUN regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
"AutoRun"=""

--- HKCU AUTORUN regkeys ---
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
no AutoRun regkey found

--- HKLM\RUN regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NVIDIA Remote Control Panel" -- File: NVAREM.EXE /S /Q /R /L /A1 /B0 /C0 /D2 /E0 -- [?]
"RoxioEngineUtility" -- File "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" -- [65536] -- [01/05/2003 18:44]
"Adobe Photo Downloader" -- File "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" -- [57344] -- [06/06/2005 23:46]
"Ad-Watch" -- File: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe -- [?]
"MSConfig" -- File: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto -- [?]

--- HKLM\RUNONCE regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
no runonce values found

--- HKLM\RUNONCEEX regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx]
no runonceex values found

--- HKLM\RUNSERVICES regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices]
key not found

--- HKLM\RUNSERVICESONCE regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServicesOnce]
no runservicesonce values found

--- HKCU\RUN regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MSMSGS" -- File: "C:\Program Files\Messenger\msmsgs.exe" /background -- [?]
"TomTomHOME.exe" -- File "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" -- [251240] -- [18/03/2009 02:03]
"ctfmon.exe" -- File C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [14/04/2008 19:02]
"WMPNSCFG" -- File C:\Program Files\Windows Media Player\WMPNSCFG.exe -- [204288] -- [18/10/2006 21:05]

--- HKCU\RUNONCE regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce]
no runonce values found

--- HKCU\RUNONCEEX regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnceEx]
no runonceex values found

--- HKCU\RUNSERVICES regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunServices]
key not found

--- HKCU\RUNSERVICESONCE regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunServicesOnce]
no runservicesonce values found

--- HKU\.DEFAULT\Run regkeys - Default user ---
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]
"NvMediaCenter" -- File: RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit -- [?]

--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]
"NvMediaCenter" -- File: RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit -- [?]

--- HKU\S-1-5-19\Run regkeys - User Lokale service ---
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]

--- HKU\S-1-5-20\Run regkeys - User Lokale service ---
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]

--- HKLM\Explorer\Run regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Policies\Explorer\Run]
no run values found

--- HKCU\Explorer\Run regkeys ---
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer\Run]
no run values found

--- Image File Execution regkeys ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
no debuggers found

--- BROWSER HELPER OBJECTS regkeys ---
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
-- File: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll -- [59032] -- [18/12/2006 04:16]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
-- CLSID not found
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
-- File: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll -- [408440] -- [17/02/2009 17:11]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
-- File: C:\Program Files\Java\jre6\bin\jp2ssv.dll -- [35840] -- [09/03/2009 05:18]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
-- File: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll -- [73728] -- [09/03/2009 05:18]

--- TOOLBAR regkeys ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
no toolbars found

--- HKLM\URLSEARCHHOOKS regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]
key not found

--- HKCU\URLSEARCHHOOKS regkeys ---
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -- File: C:\WINDOWS\system32\ieframe.dll -- [6066176] -- [20/02/2009 19:18]

--- SRCEENSAVER regkey ---
[HKEY_CURRENT_USER\Control Panel\Desktop]
scrnsave.exe value not found

--- ALTERNATESHELL regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot]
File: C:\WINDOWS\system32\cmd.exe -- [399872] -- [14/04/2008 19:02]

--- SECURITYPROVIDERS regkey ---
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
File: C:\WINDOWS\system32\msapsspc.dll -- [86016] -- [14/04/2008 19:02]
File: C:\WINDOWS\system32\schannel.dll -- [144896] -- [05/12/2008 08:58]
File: C:\WINDOWS\system32\digest.dll -- [68608] -- [14/04/2008 19:02]
File: C:\WINDOWS\system32\msnsspc.dll -- [290816] -- [14/04/2008 19:02]

--- Active Setup\Installed Components regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
-- File: C:\WINDOWS\system32\ieudinit.exe -- [13824] -- [20/02/2009 12:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
-- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
-- File: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
-- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608555}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2337076a-dd0c-43a6-8d85-54070578a42f}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
-- File: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
-- File: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser .NT -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
-- File: regsvr32.exe /s /n /i:U shell32.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
-- File: c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f15ee071-deb7-4cbb-951f-431c98338d8e}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F5776D81-AE53-4935-8E84-B0B283D8BCEF}]
-- filepath not found

[Bonksie]

--- Services regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\CCALib8]
-- File: C:\Program Files\Canon\CAL\CALMAIN.exe -- [96370] -- [31/01/2007 15:55]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Cdr4_xp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Cdralw2k]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\cdudf_xp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\DVDVRRdr_xp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\dvd_2K]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\JavaQuickStarterService]
-- File: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Lavasoft Ad-Aware Service]
-- File: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Lbd]
-- File: system32\DRIVERS\Lbd.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\mbr]
-- File: \??\C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\mmc_2K]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\P1120VID]
-- File: system32\DRIVERS\P1120Vid.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\pwd_2k]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SiSide]
-- File: SYSTEM32\DRIVERS\siside.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\swwd]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\TomTomHOMEService]
-- File: C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- [92008] -- [18/03/2009 02:03]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\UdfReadr_xp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\UimBus]
-- File: system32\DRIVERS\UimBus.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Uim_IM]
-- File: System32\Drivers\Uim_IM.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\VXD]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WDMCAPI]
-- File: System32\DRIVERS\WDMCAPI.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\{95D93F63-EC12-49F3-9090-0C6830F41485}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\{A3E79A54-9234-40AD-B57A-12D7D2824FE7}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\{C03DF779-8F66-40B5-8BEB-286C881E0283}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\{CB6E84C7-4EC0-4376-987C-3D3717EB0D81}]
-- filepath not found

--- SAFEBOOT MINIMAL SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal
Lavasoft Ad-Aware Service
{533C5B84-EC70-11D2-9505-00C04F79DEAF}

--- SAFEBOOT Network SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Network
DnsCache
Lavasoft Ad-Aware Service

--- BOOTEXECUTE regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager]
"BootExecute"= autocheck autochk *\0lsdelete\0\0

--- PENDINGFILERENAMEOPERATIONS regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager]
PendingFileRenameOperations key not found

--- WOW-CMDLINE regkeys ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\WOW]
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"cmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

--- NETSVCS regkey ---
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
0WmdmPmSN

--- DNS SERVER regkeys ---
no "NameServer" values found

--- File associations ---
.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

--- STARTUP FOLDERS ---
C:\Documents and Settings\Dad\Menu Start\Programma's\Opstarten\desktop.ini -- [84] -- [17/11/2003 22:46]
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\desktop.ini -- [84] -- [17/11/2003 22:46]

--- TASK SCHEDULER JOBS ---
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job -- [472] -- [08/05/2009 19:52]

Scan completed: 10/05/2009 18:34:01.15
FINISHED

++++++++++++++++++++++++++++++

BTW, thanks a lot for your help. It's greatly appreciated.

Regards
Graham

[Jintan]

Let's go with a scan that also can effect repairs it sees necessary, instead of just these analysis views.



Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to combi.com, then click the renamed combi.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

[Bonksie]

Here is the log from the ComboFix scan. There seems to be a lot of Dutch in here -- shout if there's something you need translated.



ComboFix 09-05-11.01 - Dad 11/05/2009 19:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2047.1657 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Dad\Bureaublad\Combi.com
.
(((((((((((((((((((( Bestanden Gemaakt van 2009-04-11 to 2009-05-11 ))))))))))))))))))))))))))))))
.
2009-05-11 15:21 . 2009-05-11 15:21 108 ---ha-w c:\windows\system32\x10prod.sys
2009-05-07 17:14 . 2009-05-07 17:14 71680 ----a-w C:\mbr.exe
2009-05-04 17:59 . 2009-05-04 18:01 -------- d-----w C:\rsit
2009-05-04 14:25 . 2001-09-06 19:27 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-05-04 14:25 . 2008-04-13 18:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-05-04 14:25 . 2008-04-13 18:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-05-04 14:25 . 2008-04-14 17:02 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-05-03 13:40 . 2009-05-03 13:40 -------- d-----w c:\program files\Trend Micro
2009-05-03 12:14 . 2009-05-03 12:14 -------- d-----w c:\documents and settings\Dad\Application Data\Malwarebytes
2009-05-03 12:14 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 12:14 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 12:14 . 2009-05-03 12:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 12:14 . 2009-05-03 12:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 12:04 . 2009-05-03 12:04 -------- d-----w c:\program files\Windows Installer Clean Up
2009-05-03 12:03 . 2009-05-03 12:03 -------- d-----w c:\program files\MSECACHE
2009-04-28 12:44 . 2009-05-11 15:22 -------- d-----w c:\documents and settings\Joy\Tracing
2009-04-26 14:10 . 2009-05-08 21:21 -------- d-----w c:\documents and settings\Dad\Tracing
2009-04-26 14:07 . 2009-04-26 14:07 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-26 13:58 . 2009-04-26 13:58 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-16 17:19 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 17:19 . 2009-03-06 14:23 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 17:19 . 2009-02-09 11:27 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 17:19 . 2009-02-09 10:56 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 17:19 . 2009-02-09 10:56 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 17:19 . 2009-02-09 10:56 684544 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 17:19 . 2009-02-09 10:56 734208 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 17:19 . 2009-02-09 10:56 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 17:19 . 2009-02-09 10:56 735744 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 17:14 . 2008-04-21 21:16 218624 -c----w c:\windows\system32\dllcache\wordpad.exe
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-11 17:38 . 2008-08-28 07:41 -------- d-----w c:\program files\xnews
2009-05-10 18:35 . 2007-02-28 21:25 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-26 14:07 . 2006-04-28 09:48 -------- d-----w c:\program files\Microsoft
2009-04-26 14:06 . 2008-04-09 19:10 -------- d-----w c:\program files\Windows Live
2009-04-24 17:53 . 2009-02-14 15:24 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-24 17:52 . 2009-02-13 18:52 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-17 08:48 . 2003-11-17 21:32 84304 ----a-w c:\windows\system32\perfc013.dat
2009-04-17 08:48 . 2003-11-17 21:32 475050 ----a-w c:\windows\system32\perfh013.dat
2009-04-11 12:31 . 2006-12-07 19:29 -------- d-----w c:\program files\Java
2009-04-04 14:52 . 2009-04-04 14:52 -------- d-----w c:\program files\TomTom International B.V
2009-04-04 14:50 . 2008-12-22 18:34 -------- d-----w c:\program files\TomTom HOME 2
2009-03-28 13:01 . 2006-08-31 18:39 -------- d-----w c:\program files\QuickTime
2009-03-28 12:58 . 2006-12-07 19:27 -------- d-----w c:\program files\LimeWire
2009-03-28 12:56 . 2007-06-03 15:56 -------- d-----w c:\program files\DigiTech
2009-03-28 12:35 . 2006-04-28 21:30 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-23 16:56 . 2006-04-30 06:54 82856 ----a-w c:\documents and settings\Joy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-22 11:19 . 2009-03-22 11:16 -------- d-----w c:\program files\Canon
2009-03-22 11:11 . 2009-03-22 11:11 -------- d-----w c:\program files\Common Files\Canon
2009-03-13 21:05 . 2006-04-28 20:51 82856 ----a-w c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-09 03:19 . 2009-02-07 10:34 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:23 . 2003-12-22 23:20 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:16 . 2006-02-24 13:22 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-22 18:51 . 2009-02-22 18:51 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-02-20 17:18 . 2004-08-04 08:03 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-12 13:26 . 2006-04-29 11:07 82856 ----a-w c:\documents and settings\Akadia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-28 19:49 . 2008-01-28 19:50 774144 ----a-w c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-03-18 251240]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-24 516440]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\M SConfig.exe" [2008-04-14 172032]
"NVIDIA Remote Control Panel"="NVAREM.EXE" - c:\windows\system32\nvarem.exe [2003-07-30 139264]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY. DLL" [2003-07-28 49152]
c:\documents and settings\Joy\Menu Start\Programma's\Opstarten\
OneNote 2007 Schermopname en Snel starten.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Menu Start^Programma's^Opstarten^OneNote 2007 Schermopname en Snel starten.lnk]
path=c:\documents and settings\Dad\Menu Start\Programma's\Opstarten\OneNote 2007 Schermopname en Snel starten.lnk
backup=c:\windows\pss\OneNote 2007 Schermopname en Snel starten.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Menu Start^Programma's^Opstarten^OneNote-inhoudsopgave.onetoc2]
path=c:\documents and settings\Dad\Menu Start\Programma's\Opstarten\OneNote-inhoudsopgave.onetoc2
backup=c:\windows\pss\OneNote-inhoudsopgave.onetoc2Startup
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/02/2009 20:52 64160]
R0 viaide1;viaide1;c:\windows\system32\drivers\viaide xp.sys [22/12/2003 22:50 6144]
R0 viasraid;viasraid;c:\windows\system32\drivers\vias raid.sys [22/12/2003 22:50 75904]
R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [28/04/2006 11:41 587776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 23:34 953168]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [28/04/2006 11:45 20580]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [28/04/2006 11:45 22644]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [18/03/2009 02:03 92008]
R3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [21/05/2006 22:47 759050]
R3 WDMWANMP;NDIS WAN miniport;c:\windows\system32\drivers\wdmwanmp.sys [28/04/2006 11:41 26112]
S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [01/11/2003 22:19 17920]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{7d5c4f6a-d28d-11dd-b49f-487444737531}]
\Shell\AutoRun\command - K:\InstallTomTomHOME.exe
.
Inhoud van de 'Gedeelde Taken' map
2009-05-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:52]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.hotsheet.com/
uInternet Connection Wizard,ShellNext = hxxp://www.standbyservice.nl/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A}
DPF: {BC0AE9E6-E549-4554-A222-EA083A894683} - hxxp://a01-b01.mypicturetown.com/P2PwebCmdController/x/Upld_47.CAB
.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 19:59
Windows 5.1.2600 Service Pack 3 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA Remote Control Panel = NVAREM.EXE /S /Q /R /L /A1 /B0 /C0 /D2 /E0???????????????????????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????? ????????? ?? ?????????????????? !"#$%&'
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\U lSata]
"ImagePath"="SYSTEM32\DRIVERS\ulsata.sys\00lled: \00.\0d\0a\00Audio (Multi) -"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
- - - - - - - > 'explorer.exe'(2976)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Voltooingstijd: 2009-05-11 20:02
ComboFix-quarantined-files.txt 2009-05-11 18:02
Pre-Run: 82,711,216,128 bytes beschikbaar
Post-Run: 84,698,034,176 bytes beschikbaar
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
181 --- E O F --- 2009-04-29 20:00

[Jintan]

At the end of the ComboFix log some additional but still unlear info shows related to those driver changes.

I would like to check a backup copy ComboFix made of the system hive file there.

Navigate to the following hilighted file, and zip a copy of it:

C:\WINDOWS\ERDNT\Hiv-backup\system


Then just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select that zipped file on your computer.

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

[Jintan]

At the end of the ComboFix log is some additional but still unclear info showing, related to those driver changes.

I would like to check a backup copy ComboFix made of the system hive file there.

Navigate to the following hilighted file, and zip a copy of it:

C:\WINDOWS\ERDNT\Hiv-backup\system


Then just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select that zipped file on your computer.

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

[Bonksie]

I have linked the post on spykiller.co.uk to this thread.

[Jintan]

Very unusual. What make and model is this computer please? Just asking to verify this is a cloned install, such as many large manufacturers like to do.


As for the hive info you uploaded, these show:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S iSide]
"ImagePath"=SYSTEM32\DRIVERS\siside.sysNST\Control Set001\Services

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\U lSata]
"ImagePath"=SYSTEM32\DRIVERS\ulsata.syslled: .
Audio (Multi) -

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\v iaide1]
"ImagePath"=SYSTEM32\DRIVERS\viaidexp.sysT\Control Set001\Services\via

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\v iaide1]
"ImagePath"=SYSTEM32\DRIVERS\viasraid.sysCriticalD eviceDatabase\viai

Boot device drivers with unseen information added to their values. Why I am just not sure right now. We can use a Regedit or other method to correct those, but I sure would like to know what created them before attempting that. If it is not just due to some corruption occurring to those entries, then altering them nay lead to problems. Let me check on this further, before we decide on any further action here.

[Bonksie]

Does this help?


Sky Computers Europe
Model MS-6743
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2600 Mhz
BIOS-Phoenix Technologies, LTD 6.00 PG, 25/06/2003
SMBIOS-version 2.2

The computer was bought at a large department store affiliated with Dixons Electronics.

[Jintan]

The info just suggests that Windows copy is "imaged" onto the drive, which occurs with large production systems. Just really unclear what needs to be corrected there yet. These also from the earlier RootRepal log - related to modem drivers I believe:

Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_READ]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_WRITE]
Process: System Address: 0x00000000 Size: -

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

!!!Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

That log will be too large for forum posting, so zip a copy of it and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -Bonksie/cth/rdx" as the email Subject.

[Bonksie]

The Radix scan has been zipped and sent to you.

Jeez, don't you ever sleep?

[Jintan]

Hmm - other than sorry for not noticing you already had Radix, that log didn't get through email for some reason. Given that, I'll go back and check your earlier log you already sent, compared to this current info.